Embedded Systems Hacking and
My Plot To Take Over The World

Version 1.5

"What are we going to do tonight, Brain?"
"The same thing we do every night, Pinky. TRY AND TAKE OVER THE WORLD!"

Paul Asadoorian
Founder & CEO, PaulDotCom Enterprises
http://pauldotcom.com
paul@pauldotcom.com



Who am I? 



I had this really boring slide about who I am 

Then I realized that's not really who I am 

What follows is the "Powerpoint" version of "a 
little about me"... 



PaulDotCom Security Weekly
http://www.pauldotcom.com

• 2005 - Present
• ~200 episodes
• Awards, blah
• Thursdays 7PM
• Hack Naked
• Why Hack Naked?
• Computer Destruction



Security Weekly | pauldotcom.com | August 2010



PaulDotCom
http://pauldotcom.com

John "Father John" Strand, Paul "Salad Shooter" Asadoorian, Larry "Dirty Uncle" Pesce
"Byte_Bucket", Mick "Jr. Salad Shooter" Douglas, Carlos "DarkOperator" Perez
Mike "The Original Intern" Perez, Mark Baggett, Darren "Girly Mustache" Wigley

Hail Nessus!



My day job: I work for Tenable Network Security as a "Product Evangelist"

I use Tenable products and write blogs, publish podcasts, teach courses, and produce videos

http://blog.tenablesecurity.com

Taking Over The World

• Many have tried
• No one truly successful
• What are the three things you need to take over the world?
  - Yes, I've spent time thinking about this
• All geeks like to deal with "specifications" and "requirements"

Requirements For World Domination

1. Money - You need to buy stuff, like armies, countries, pay people off, etc.
2. Power - You need the ability to use those resources to influence & control people
3. Stealth - If everyone knows about your plan, it is doomed from the beginning

Using Embedded Systems To Make Money

• Video games - Most are involved in commerce and network connected
• Entertainment - Apple TV, Roku, all link back to your credit card somehow
• Wireless routers - Route your traffic when doing online banking, PayPal, eBay, etc.
• Printers/Fax - How many times have you printed sensitive information?

Using Embedded Systems To Gain Power

• Network traffic (i.e. information) flows through them
• Information = Power
  - The ability to manipulate information is powerful
• Multiple computers can be controlled at once

Using Embedded Systems To Gain Power

• Embedded systems are integral to controlling water, electricity, and sewage treatment
• See research from Josh Wright and Travis Goodspeed

Benefits To Targeting Embedded Systems - Stealth

• No one pays attention to them until they are broken
• Security is left out to save resources and money and to keep things easy (as is logging)
  - Vendors are focused on profit, which also never equals security
  - Competition has driven vendors to cut costs to make products cheaper
• Potentially no interactive user (mouse/keyboard)

Benefits Of Targeting Embedded Systems - Stealth

• Embedded systems contain vulnerabilities that go unnoticed because the people looking for them do not have every device that was ever made
• "Can you send me a free router in exchange for some security testing?"

They Are Everywhere

SSID Stats (top 1000)

SSID            Total      Percent
<no ssid>       1957492    9.660%
linksys         1751543    8.644%
default          541572    2.672%
NETGEAR          491861    2.427%
Belkin54g        227715    1.123%
no_ssid          206541    1.019%
Wireless         200543    0.939%
hpsetup          151730    0.746%
WAN               99043    0.486%
ACTIONTEC         82407    0.406%

Manufacturer Stats

Manufacturer      Total      Percent
Linksys           2695479    13.302%
D-Link            1310698     6.469%
Cisco             1153941     5.694%
Dell               689249     4.368%
Netgear            798122     3.938%
2Wire              448893     2.215%
Belkin             442110     2.181%
Symbol             300751     1.464%
Apple Computer     223718     1.104%
Lucent             199088     0.982%

Source: http://wigle.net/gps/gps/main/ssidstats
In Places Like Boston

[Map image]

And They Are Vulnerable...

"Researchers scanning the internet for vulnerable embedded devices have found nearly 21,000 routers, webcams and VoIP products open to remote attack. Their administrative interfaces are viewable from anywhere on the internet and their owners have failed to change the manufacturer's default password."

"The researchers have provided ISPs with their findings in the hope that they will do something to protect vulnerable customers."

http://www.wired.com/threatlevel/2009/10/vulnerable-




And No One Wants To Be Responsible For Them

"Chen said he contacted Time Warner's security department four weeks ago and was told that the company was aware of the security vulnerability but 'cannot do anything about it.'"

"Time Warner's Dudley says the SMC8014 modem/routers are just a small portion of the 14 million devices its customers are using."

http://www.wired.com/threatlevel/2009/10/time-warner-cable/
What if "Bob" Scanned the

• Use Google, find the most popular ISPs that provide cable modem routers to users (or other interesting devices)
• Use ARIN to discover the IP address ranges assigned to those ISPs
• Use Nmap to discover all devices that have port 80 open and identify the service/banner
• Manually poke through results and see what you find
  - Or automate something to find vulnerabilities
Example Vulnerabilities We Could Look For

• Wireless Routers - TONS of FAIL on the Internet
  - Default, weak, or missing passwords are COMMON
  - Linksys HNAP - Information leakage and lame denial of service with no mitigation
• Printers - JetDirect authentication weaknesses
• Roku Player - Entertainment device
Shodan Is Handy For Exploring The Internet

A known vulnerability or poor implementation in "Huawei" routers helps take over countries

[Screenshot: SHODAN - Computer Search Engine, "Top countries matching your search": Venezuela (Bolivarian Republic of), China, United States. A 2010 search hit shows the following banner:]

    HTTP/1.0 401 Unauthorized
    Server: micro_httpd
    Cache-Control: no-cache
    Content-Type: text/html
    Connection: close

A whois lookup returns comprehensive results




Scanning the Internet Is Time Consuming

• Scanning the Internet is fun (so Bob tells me)
• It takes a long time, even when limiting to one port

    # nmap --version-light --open --min-hostgroup 1024 -T4 -n -PN -oG results.gnmap -sV -p 80 -iL isp.targetips

    524288 IP addresses (32620 hosts up) scanned in 9769.46 seconds (2.7 hours)
    2272512 IP addresses (2272512 hosts up) scanned in 135156.66 seconds (37.5 hours)
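The grepable output (-oG) from a scan like the one above is what a defender ends up parsing when auditing address space they are responsible for. The following is an added example, not code from the presentation: a Python parser for Nmap's grepable format that lists hosts with port 80 open and flags version banners characteristic of embedded-device management interfaces. The sample scan lines, the banner list and the TEST-NET addresses are constructed for the example.

```python
import re
from collections import Counter

# Version-banner substrings that commonly identify embedded-device management
# interfaces. Constructed for this example; extend it for the devices you run.
EMBEDDED_BANNERS = ("micro_httpd", "jetdirect", "boa", "mini_httpd",
                    "thttpd", "goahead", "rompager", "allegro")

# One "Host:" line per host; the Ports: field holds comma-separated entries of
# the form port/state/proto/owner/service/rpcinfo/version/ (grepable format).
HOST_RE = re.compile(
    r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")

# Constructed sample in the -oG format (TEST-NET addresses, no real hosts).
SAMPLE_GNMAP = """\
# Nmap 5.21 scan initiated as: nmap -sV -p 80 -oG results.gnmap -iL isp.targetips
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http//micro_httpd/\tIgnored State: closed (0)
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http//HP JetDirect httpd/
Host: 192.0.2.12 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.15/
Host: 192.0.2.13 ()\tPorts: 80/closed/tcp//http///
"""


def parse_gnmap(text):
    """Yield (ip, hostname, ports) for every Host: line carrying a Ports: field.

    Each element of ports is (port, state, service, version)."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, ports_field = m.groups()
        ports = []
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue  # not a well-formed port entry
            port, state, _proto, _owner, service, _rpc, version = parts[:7]
            ports.append((int(port), state, service, version))
        yield ip, hostname, ports


def exposed_admin_interfaces(text, port=80):
    """One finding per host with `port` open; `embedded` is True when the
    banner matches a known embedded-device web server."""
    findings = []
    for ip, _hostname, ports in parse_gnmap(text):
        for p, state, _service, version in ports:
            if p == port and state == "open":
                embedded = any(b in version.lower() for b in EMBEDDED_BANNERS)
                findings.append({"ip": ip, "version": version, "embedded": embedded})
    return findings


def banner_summary(text, port=80):
    """Count how many open hosts advertise each banner ('' -> '<no banner>')."""
    return Counter(f["version"] or "<no banner>"
                   for f in exposed_admin_interfaces(text, port))


if __name__ == "__main__":
    for f in exposed_admin_interfaces(SAMPLE_GNMAP):
        flag = "EMBEDDED" if f["embedded"] else "        "
        print(f"{flag} {f['ip']:<15} {f['version'] or '<no banner>'}")
    print(banner_summary(SAMPLE_GNMAP))
```

Run against a real results.gnmap the summary gives the quickest picture of how much of a subnet is fronted by a small embedded web server rather than a managed host, which is the population the rest of this deck is about.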
Finding Devices Without Scanning The Internet

• NTP could be used to identify devices
  - network-time-protocol-ntp-fun.html
• DNS zone transfers from certain places reveal interesting results
• Brute-forcing DNS sub-domains can reveal hosts too
  - ip-cameras-pt-6
NTP: All your ntp are point to us

• Netgear shipped thousands of routers in 2003 and pointed them to ntp1.cs.wisc.edu
• Issued firmware fix, but who does that?
• Routers still point to it, and thanks to HD Moore we can query it easily with Metasploit
• Gives us a list of Netgear routers that Bob would attack
Metasploit NTP Module

    msf > use auxiliary/scanner/ntp/ntp_monlist
    msf auxiliary(ntp_monlist) > set RHOSTS ntp1.cs.wisc.edu
    RHOSTS => ntp1.cs.wisc.edu
    msf auxiliary(ntp_monlist) > run

    [*] Sending probes to 128.105.39.11->128.105.39.11 (1 hosts)
    [*] 128.105.39.11:123 205.237.147.11:23457 (128.105.39.11)
    [*] 128.105.39.11:123 86.29.31.176:23457 (128.105.39.11)
    [*] 128.105.39.11:123 209.192.117.17:23457 (128.105.39.11)
    [*] 128.105.39.11:123 70.54.203.193:60128 (128.105.39.11)
    [*] 128.105.39.11:123 222.254.78.74:10001 (128.105.39.11)

Lots of DSL/Cable providers on the list. What are the chances these users have not updated firmware?

    71.161.67.98 domain name pointer adsl-67-161-71.shv.bellsouth.net.
    76.72.108.68 domain name pointer ip68-108-72-76.lv.lv.cox.net.
    117.131.29.65 domain name pointer CPE-65-29-131-117.wi.res.rr.com
    45.21.110.76 domain name pointer c-76-110-21-45.hsd1.fl.comcast.net
    61.195.100.98 domain name pointer rrcs-98-100-195-61.central.biz.rr.com.
    164.133.254.76 domain name pointer adsl-76-254-133-164.dsl.skt2ca.sbcglobal.net.
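For an ISP or network owner the useful question about output like the above is whether its own subscribers appear in it, since those are the routers still pointing at a time server they were shipped with and therefore still running the original firmware. Below is an added example (not code from the presentation or from Metasploit) that parses ntp_monlist output lines in the format shown, groups the client addresses by provider using reverse-DNS names, and checks them against the prefixes a provider is responsible for. The sample output, the PTR table and the prefixes are constructed with documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Matches the per-client lines printed by the ntp_monlist module:
# "[*] <server>:<port> <client>:<port> (<server>)"
MONLIST_RE = re.compile(
    r"^\[\*\]\s+\S+:\d+\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+\s+\(")

# Constructed sample output in the same format (TEST-NET addresses only).
SAMPLE_MONLIST = """\
[*] Sending probes to 192.0.2.1->192.0.2.1 (1 hosts)
[*] 192.0.2.1:123 198.51.100.7:23457 (192.0.2.1)
[*] 192.0.2.1:123 198.51.100.9:23457 (192.0.2.1)
[*] 192.0.2.1:123 203.0.113.20:60128 (192.0.2.1)
[*] 192.0.2.1:123 203.0.113.99:10001 (192.0.2.1)
"""

# Constructed reverse-DNS table standing in for a live PTR lookup
# (a real run would call socket.gethostbyaddr for each address).
SAMPLE_PTR = {
    "198.51.100.7": "cpe-198-51-100-7.wi.res.example-cable.net.",
    "198.51.100.9": "cpe-198-51-100-9.wi.res.example-cable.net.",
    "203.0.113.20": "adsl-203-0-113-20.dsl.example-dsl.com.",
}


def monlist_clients(output):
    """Client IPs listed in ntp_monlist output, in order, duplicates kept."""
    clients = []
    for line in output.splitlines():
        m = MONLIST_RE.match(line.strip())
        if m:
            clients.append(m.group(1))
    return clients


def registered_suffix(ptr):
    """Reduce a PTR name to its last two labels, e.g. 'a.b.rr.com.' -> 'rr.com'."""
    labels = [label for label in ptr.rstrip(".").split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else ptr


def provider_breakdown(output, ptr_lookup):
    """Count clients per provider; ptr_lookup(ip) returns a PTR name or None."""
    counts = Counter()
    for ip in monlist_clients(output):
        ptr = ptr_lookup(ip)
        counts[registered_suffix(ptr) if ptr else "<no ptr>"] += 1
    return counts


def clients_in_prefixes(output, prefixes):
    """Client IPs inside the given CIDR prefixes (a provider's own space)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [ip for ip in monlist_clients(output)
            if any(ipaddress.ip_address(ip) in net for net in nets)]


if __name__ == "__main__":
    print(provider_breakdown(SAMPLE_MONLIST, SAMPLE_PTR.get))
    print(clients_in_prefixes(SAMPLE_MONLIST, ["198.51.100.0/24"]))
```

The two-label suffix is a deliberate simplification: it is right for the cable and DSL names shown on the slide (rr.com, cox.net, comcast.net) but will collapse country-code domains such as example.co.uk to "co.uk", so use a public-suffix list if that matters for your estate.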
DNS Zone Transfer - MUCH

    # time host -la ourlinksys.com 66.161.11.121 > ourlinksys.com.out

    real    0m2.564s
    user    0m0.456s
    sys     0m0.068s

    # wc -l ourlinksys.com.out
    120815 ourlinksys.com.out

This no longer works with the above domain since I accidentally published the information without sanitizing.

Check out Metasploit's "gather/dns_enum" module written by Carlos Perez
D-Link

[Screenshot: D-Link router, Tools > Dynamic DNS page. Menu: Syslog, Email Settings, System, Firmware, Dynamic DNS, System Check, Schedules. Page text:]

"The DDNS feature allows you to host a server (Web, FTP, Game Server, etc.) using a domain name that you have purchased (www.whateveryournameis.com) with your dynamically assigned IP address. Most broadband Internet Service Providers assign dynamic (changing) IP addresses. Using a DDNS service provider, your friends can enter your host name to connect to your game server no matter what your IP address is."

"Sign up for D-Link's Free DDNS service at www.DLinkDDNS.com."

Dynamic DNS settings: Enable Dynamic DNS; Server Address (Select Dynamic DNS Server: www.DLinkDDNS.com, www.DynDNS.com (Custom), www.DynDNS.com (Free)); Host Name (e.g.: me.mydomain.net); Username or Key; Password or Key; Verify Password or Key; Timeout: 576 (hours); Status: Disconnected
DNS Is The Internet

[Screenshot: Huawei SmartAX MT880 ADSL modem, DHCP Mode page ("Use this page to configure DHCP"). DHCP Server fields: Client IP Pool Starting Address 192.168.1.2; Size of Client IP Pool 32; Primary DNS Server; Secondary DNS Server; Remote DHCP Server N/A; DHCP Lease Time 3 Days. Menu: ADSL Setting, Other Setting, LAN Config, NAT, ADSL Mode, IP Route, Advanced Function, Security, Time Zone, Remote Management, UPnP, Maintenance, User Management, DHCP Table, Diagnostic, Statistics, Restart, Firmware Upgrade, Logout. Footer: Copyright © 2005 All Rights Reserved.]

Scanning the entire ISP reveals thousands of devices with weak security
Global Reach

[Screenshot: Belkin ADSL Modem with Wireless G Router Setup Utility, Advanced Setup > ADSL Parameter Setting. Country: Australia; Username: (a direct.telstra.net account); Password; Line Status: CONNECTED; Line Mode: G.992.5 (ADSL2+); Connected/No Connection: CONNECTED; WAN IP: (redacted). Buttons: Disconnect, Connect.]
This Required NO PASSWORD

[Screenshot: AirTies RT-111 ADSL2+ 4-port modem, Turkish web UI at /cgi-bin/webcm. Menu: Home, ADSL, Local Network, Firewall, NAT, Routing, Management, DDNS, Tools, Report. Welcome text (translated): "Welcome. As the AirTies family we thank you for choosing an AirTies product. We recommend that you read the user manual carefully to learn all of the modem's features and use it as efficiently as possible. If you encounter any problem you can reach the AirTies Call Center on 0212-4440239. Information about your modem's operating status is presented below." Status: Internet connection: connected; ADSL connection: connected; ADSL speed: 512/1024 kbps; Internet IP address: (redacted); ADSL MAC address; Ethernet: connected; DHCP server: enabled; Firmware version; Serial No; System uptime: 188 hours 1 minute; System time: 17 February 2010 05:58:28.]
Nicole Richie can do it!

"Airhead socialite Nicole Richie broke into the Twitter account of her chums last week as part of a prank that proves just about anyone can become a password hacker."

http://www.theregister.co.uk/2010/04/06/richie_twitter_hacking_prank/

• She socially engineered in order to get the passwords!
• Most devices do not even require this level of sophistication!
• Rumour: Nicole will attend Defcon 2010 and give a presentation on hacking Twitter
The Password Is Already

[Screenshot: ZyXEL P-661HW-D1 login page: "Welcome to your router Configuration Interface. Enter your password and press enter or click 'Login'", Password field.]

Social engineering not required!
This Gets Scary

• A certain ISP based in Turkey left default or blank passwords on seemingly every router
• This helps in our plot for world domination:
  - Target geographic regions, exploit vulnerabilities exposed by that particular ISP + cable modem combo
  - Change DNS servers and control users' "Internets"
  - Change passwords and lock out user and ISP (not too stealthy)
  - Upload new firmware to provide new functionality (like password logging, SSL MiTM, etc.)
EPIC WIN!

[Screenshot: Linksys by Cisco Setup Wizard, "Create a new Device Password": "Your Wireless Bridge comes with a default password. You must create a new, unique password for your Wireless Bridge. This password will be used to access your device's advanced settings. Enter a new password below and click Next." Password: admin. "The new password must be different from the default password, which is 'admin'." (Learn more about device passwords) Buttons: < Back, Next >]

WET610N setup program forces you to change the default password of "admin" to something different!

EPIC FAIL!

[Screenshot: Linksys by Cisco Setup Wizard, "Set Up Wireless": "Below are your settings for your Wireless Bridge. Linksys highly recommends that you print your settings or write them down." Device Password: admin1; Network Name (SSID): pauldotcom-bridge; [x] Save these settings in a text file on my desktop. Button: Next >]

Don't let them save it in a clear text file! Noooooooo!

to Control Routers

• Step 1 - Buy router
• Step 2 - Find vulnerability
• Step 3 - See what DDNS providers it supports by default
• Step 4 - Try zone transfer; if it fails, go to step 5
• Step 5 - Brute force subdomains of DDNS provider
• Step 6 - Check NTP settings, see if it points to an NTP server by default (unlikely)
• Step 7 - Scan the Internet at random (or target an ISP and look for that router) (slow)
• Step 8 - Exploit vulnerabilities and control routers
Can we at least get a USERNAME with a password?

[Screenshot: HP JetDirect embedded web server (Home / Device Info / Other Links: Help, Support, HP Home), reached at http://64.(redacted), with the browser's authentication dialog: "To view this page, you must log in to this area: HP Jetdirect Networking (password only, no username required). Your password will be sent unencrypted." Fields: Name, Password, [ ] Remember this password in my keychain. Device Info: Status: Paper jam; System Contact; System Location; HP JetDirect: J6035B; Firmware Version: M.24.06; IP Address: 64.(redacted); Hardware Address: (redacted); Admin Password: <Set>. Button: Refresh]
Roku

    # nc 192.168.1.240 8080
    D0C9DP009064
    ETHMAC 00:0d:4b:4c:29:5e
    WIFIMAC 00:0d:4b:4c:29:5f
    >

Commands accepted at the prompt: press up, press down, press left, press right, press select, press home, press fwd, press back, press pause

http://forums.roku.com/viewtopic.php?t=20106&sid=f0702e3bbba722ac7f1a59307209782c

World Domination Propaganda

http://www.i-hacked.com/content/view/274/48/
Even More Attacks

• HD Moore found several flaws in VxWorks, scanned 3.1 billion IP addresses and found 250,000 systems exposed to the Internet
  - http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html
• Craig Heffner discovered a DNS rebinding attack on several routers allowing attackers to gain control of administrative interfaces
Even More Attacks

• Ki-Chan Ahn and Dong-Joo Ha created malware for Nintendo Wii and DS systems
  - http://games.venturebeat.com/2010/07/31/live-demos-of-hacking-the-nintendo-ds-and-the-wii-to-spread-malware/
• Barnaby Jack remotely attacked two different ATMs and "made the money come out" (without a card + PIN)
  - http://www.youtube.com/watch?v=awMuMSPW3bU
Potential Linksys Vulnerability

• Reported to Cisco PSIRT Feb 17, 2010
• HNAP request can crash the admin web server on certain models with certain firmware versions
• Low-impact vulnerability discovered by accident while trying to send a valid request
• The HNAP request format was taken directly from Cisco's own documentation
Curl Rules

    curl http://192.168.1.70:80/HNAP1/ -v --basic \
      --user admin:admin -H \
      'SOAPAction: "http://purenetworks.com/HNAP1/GetWLanRadioSecurity"' \
      --data @xml/GetWLanRadioSecurity.xml

xml/GetWLanRadioSecurity.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope>
      <soap:Body>
        <GetWLanRadioSecurity xmlns="http://purenetworks.com/HNAP1/" />
      </soap:Body>
    </soap:Envelope>
Lame?

• Turns out to not be reproducible (my router was a DD-WRT upgrade)
• Certainly lame. However, it shows just how fragile these devices and protocols are
• What would happen if you were to actually fuzz HNAP?
• Release notes of firmware running on the device say "Fixed HNAP issue"
• However, there is no way to disable HNAP
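Since HNAP cannot be switched off on these devices, the remaining control is to watch for it. The following is an added example, not code from the presentation: a Python detector run over web-server access log lines in the common log format, which raises an alert whenever a request to /HNAP1/ arrives from an address outside the LAN ranges, and a second alert when one source accumulates repeated 401 responses against the HNAP endpoint. The log lines, the LAN ranges, the threshold and the alert names are constructed for the example; a given router's log format will differ.

```python
import ipaddress
import re
from collections import defaultdict

# Common log format: client - user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Address ranges treated as "inside" (constructed: RFC 1918 plus loopback and
# link-local). Anything else is considered to have arrived on the WAN side.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: a LAN client and a WAN address (TEST-NET) hitting HNAP.
SAMPLE_LOG = """\
192.168.1.5 - - [17/Feb/2010:12:00:01 -0500] "POST /HNAP1/ HTTP/1.1" 200 512
203.0.113.45 - - [17/Feb/2010:12:00:02 -0500] "POST /HNAP1/ HTTP/1.1" 401 0
203.0.113.45 - - [17/Feb/2010:12:00:03 -0500] "POST /HNAP1/ HTTP/1.1" 401 0
203.0.113.45 - - [17/Feb/2010:12:00:04 -0500] "POST /HNAP1/ HTTP/1.1" 401 0
192.168.1.5 - - [17/Feb/2010:12:00:05 -0500] "GET /index.html HTTP/1.1" 200 2048
"""


def parse_access_log(text):
    """Yield one record per parseable line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ts, method, path, status = m.groups()
        yield {"src": src, "time": ts, "method": method,
               "path": path, "status": int(status)}


def is_wan_source(ip):
    """True when the source address is outside every LAN range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable source: treat as untrusted
    return not any(addr in net for net in LAN_NETS)


def hnap_alerts(text, auth_fail_threshold=3):
    """Return (alert, src, path) tuples for HNAP activity worth looking at."""
    alerts = []
    failures = defaultdict(int)
    for rec in parse_access_log(text):
        if not rec["path"].upper().startswith("/HNAP1"):
            continue
        if is_wan_source(rec["src"]):
            alerts.append(("hnap-from-wan", rec["src"], rec["path"]))
        if rec["status"] == 401:
            failures[rec["src"]] += 1
            # fire once, when the threshold is first reached
            if failures[rec["src"]] == auth_fail_threshold:
                alerts.append(("hnap-auth-failures", rec["src"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for alert in hnap_alerts(SAMPLE_LOG):
        print(*alert)
```

The first alert is the one that matters on a home router: HNAP is a LAN-side management protocol, so any request to /HNAP1/ from outside the LAN ranges means the management interface is exposed on the WAN, whether or not the credentials held.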
But Seriously, What Do We Do About It?

• I can show you embedded systems security fail until you are tired of hearing about it (which was probably 15 minutes ago or longer)
• I could go out and find more vulnerabilities and talk about them
• Some problems are implementation-based, never mind a 0day (e.g. no HNAP disable)
• So how do we fix it?
I hope we can agree on one thing

Embedded systems security sucks!

[Photo caption: Not even a giant pink binky will stop me from talking about it]

Security FAIL
www.securityfail.com

• Used to redirect to www.grc.com (Giggity)
• It is now a public Wiki where people can write mini-articles on security failures
• First major section will be dedicated to embedded systems
• Write in about how embedded security has failed you
  - 0days are okay too, but not sure that will help
• Raise awareness and work to change the industry to implement better security on devices
www.securityfail.com

Some GOALS to get us started:

• We want vendors of embedded systems to:
  - FORCE the user to select the password
  - Allow users to disable protocols
  - Only enable secure management protocols by default (HTTPS, SSH)
• We want ISPs to:
  - Block inbound port 80 on user subnets
  - Manage customer devices properly and implement security
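The goals above can be written down as checks. The following is an added example, not code from the presentation or from securityfail.com: a Python audit that evaluates a device configuration (represented as a dictionary) against the vendor goals, and an ISP's inbound filter rules against the port-80 goal, with a weak configuration beside a corrected one. The configuration keys, the default-password list, the rule format and the addresses are constructed for the example.

```python
import ipaddress

# Constructed sample of factory default credentials; real lists are much longer.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}

INSECURE_MGMT = {"http", "telnet", "hnap"}
SECURE_MGMT = {"https", "ssh"}

# A device as shipped: default password, clear-text management, HNAP that
# cannot be turned off, admin interface reachable from the WAN (constructed).
WEAK_CONFIG = {
    "admin_password": "admin",
    "factory_default_password": "admin",
    "force_password_change_on_setup": False,
    "management": {"http": True, "https": False, "telnet": True,
                   "ssh": False, "hnap": True},
    "non_disableable_protocols": ["hnap"],
    "wan_management": True,
}

# The same device configured the way the goals ask for (constructed).
HARDENED_CONFIG = {
    "admin_password": "correct-horse-battery-staple-2010",
    "factory_default_password": "admin",
    "force_password_change_on_setup": True,
    "management": {"http": False, "https": True, "telnet": False,
                   "ssh": True, "hnap": False},
    "non_disableable_protocols": [],
    "wan_management": False,
}


def audit_device(cfg):
    """Return a list of findings; an empty list means every vendor goal is met."""
    findings = []
    password = cfg.get("admin_password", "")
    factory = cfg.get("factory_default_password")
    if password in DEFAULT_PASSWORDS or (factory is not None and password == factory):
        findings.append("admin password is a factory default")
    if not cfg.get("force_password_change_on_setup", False):
        findings.append("setup does not force the user to select a password")
    enabled = {proto for proto, on in cfg.get("management", {}).items() if on}
    for proto in sorted(enabled & INSECURE_MGMT):
        findings.append(f"insecure management protocol enabled: {proto}")
    if not enabled & SECURE_MGMT:
        findings.append("no secure management protocol (https/ssh) enabled")
    for proto in sorted(cfg.get("non_disableable_protocols", [])):
        findings.append(f"protocol cannot be disabled by the user: {proto}")
    if cfg.get("wan_management", False):
        findings.append("management interface reachable from the WAN")
    return findings


def audit_isp_filter(rules, customer_subnets, port=80):
    """Return the customer subnets that no inbound deny rule covers for `port`.

    rules are (action, destination_cidr, port) tuples read as an inbound ACL."""
    uncovered = []
    for subnet in customer_subnets:
        net = ipaddress.ip_network(subnet)
        covered = any(action == "deny" and rule_port == port
                      and net.subnet_of(ipaddress.ip_network(dst))
                      for action, dst, rule_port in rules)
        if not covered:
            uncovered.append(subnet)
    return uncovered


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_device(cfg) or "OK")
    # Constructed ISP example: the single deny rule covers only part of the
    # customer address space, so the second subnet is reported.
    rules = [("deny", "198.51.100.0/24", 80)]
    print(audit_isp_filter(rules, ["198.51.100.0/24", "203.0.113.0/24"]))
```

The "non_disableable_protocols" finding is the one the HNAP slides were about: a protocol the user cannot turn off is a finding on its own, independent of whether a bug in it is currently known.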
Sign up for an account

• Email me if you want an account in the meantime
• Or just send me your stories anonymously
• This is a non-profit project
  - Its sole purpose is to raise awareness and hopefully work with the industry to change
So what about World Domination?

[Image: "TAKING OVER THE WORLD" poster]
Things I wanted to cover but ran out of space

• The "Chuck Norris" worm, which could be a version of psyb0t?
• Static analysis of device firmware, mounting the filesystems, finding vulnerabilities
• Analyzing video game systems, TiVo, and Blu-ray players as they are network connected
• Wireless-type worms and default WiFi settings
• Segmentation is just a band-aid
Don't Forget:
www.securityfail.com

Presentations: http: 
resentations.html 



• Radio: http://pauldotcom.com/radio
• Live Stream: http://pauldotcom.com/live
• Forum: http://forum.pauldotcom.com/
• Webcasts: http://pauldotcom.com/webcasts
• Insider: http://pauldotcom.com/insider

http://pauldotcom.com